← Back to team overview

touch-packages team mailing list archive

  1. touch-packages team
  2. Mailing list archive
  3. Message #76410

[Bug 1015819] Re: sb_sasl_generic_pkt_length: received illegal packet length when using ldapsearch and sasl with ssl or tls

  Thread PreviousDate PreviousThread Next 
I can confirm that this bug is still present in the most recent versions
of OpenLDAP and SASL. Johnny Westerlund's statement is correct but the
tip isn't.

Here is the deal: https://msdn.microsoft.com/en-us/library/cc223500.aspx

Active Directory does not support GSS-API integrity/confidentiality over TLS encrypted sockets. Unfortumately, you cannot disable integrity in SASL. It is enabled by default. maxssf=0 does not work and gives you: ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)

Here is the code in question: https://github.com/michael-o/cyrus-
sasl/blob/master/plugins/gssapi.c#L1586-L1596

FWIT: This fails on RHEL, FreeBSD and HP-UX, it fails everywhere with
MIT Kerberos.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1015819

Title:
  sb_sasl_generic_pkt_length: received illegal packet length when using
  ldapsearch and sasl with ssl or tls

Status in cyrus-sasl2 package in Ubuntu:
  Confirmed

Bug description:
  [Status]

  This bug needs a developer to reproduce the problem and locate the
  root cause.

  [Workaround]

  Unknown.

  [Missing]

  Exact steps to reproduce.

  [Description]

  Not sure if this is a problem with openldap or cyrus-sasl2 at this
  point.

  Using sasl binding only works with ldapsearch when not using ssl or
  tls.  If either ssl or tls is used I see this ouput from -d 1 from
  ldapsearch:

  sb_sasl_generic_pkt_length: received illegal packet length of 813957120 bytes
  sasl_generic_read: want=16, got=16
    0000:  00 7e 02 01 00 78 84 00  00 00 5d 0a 01 02 04 00   .~...x....].....
  sb_sasl_cyrus_decode: failed to decode packet: generic failure
  sb_sasl_generic_read: failed to decode packet
  ldap_read: want=8 error=Input/output error

  # numResponses: 0
  ldap_result: Can't contact LDAP server (-1)
  tls_write: want=165 error=Connection reset by peer
  tls_write: want=165 error=Bad file descriptor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1015819/+subscriptions
  Thread PreviousDate PreviousThread Next